sfc: fix an off-by-one compare on an array size
authorColin Ian King <colin.king@canonical.com>
Tue, 31 Jan 2017 16:30:02 +0000 (16:30 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 31 Jan 2017 17:25:32 +0000 (12:25 -0500)
encap_type should be checked to see if it is greater or equal to
the size of array map to fix an off-by-one array size check. This
fixes an array overrun read as detected by static analysis by
CoverityScan, CID#1398883 ("Out-of-bounds-read")

Fixes: 9b41080125176841e ("sfc: insert catch-all filters for encapsulated traffic")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/sfc/ef10.c

index 8bec9383d754971455f49b679ac1219624a4ab06..0475f1831b9222d51cf3b469278f4ac19e29c02e 100644 (file)
@@ -5080,7 +5080,7 @@ static int efx_ef10_filter_insert_def(struct efx_nic *efx,
 
                /* quick bounds check (BCAST result impossible) */
                BUILD_BUG_ON(EFX_EF10_BCAST != 0);
-               if (encap_type > ARRAY_SIZE(map) || map[encap_type] == 0) {
+               if (encap_type >= ARRAY_SIZE(map) || map[encap_type] == 0) {
                        WARN_ON(1);
                        return -EINVAL;
                }